CVE-2018-12397

LOW

Description

A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. This vulnerability affects Firefox ESR < 60.3 and Firefox < 63.

References

http://www.securityfocus.com/bid/105718

http://www.securitytracker.com/id/1041944

https://access.redhat.com/errata/RHSA-2018:3005

https://access.redhat.com/errata/RHSA-2018:3006

https://bugzilla.mozilla.org/show_bug.cgi?id=1487478

https://lists.debian.org/debian-lts-announce/2018/11/msg00008.html

https://security.gentoo.org/glsa/201811-04

https://usn.ubuntu.com/3801-1/

https://www.debian.org/security/2018/dsa-4324

https://www.mozilla.org/security/advisories/mfsa2018-26/

https://www.mozilla.org/security/advisories/mfsa2018-27/

Details

Source: MITRE

Published: 2019-02-28

Updated: 2019-03-01

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 3.6

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3.0

Base Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Impact Score: 5.2

Exploitability Score: 1.8

Severity: HIGH

Vulnerable Software

ID	Name	Product	Family	Severity
123356	openSUSE Security Update : Mozilla Firefox (openSUSE-2019-855)	Nessus	SuSE Local Security Checks	high
700410	Mozilla Firefox < 63 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
120158	SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2018:3656-1)	Nessus	SuSE Local Security Checks	high
119903	EulerOS 2.0 SP2 : firefox (EulerOS-SA-2018-1414)	Nessus	Huawei Local Security Checks	high
119564	EulerOS 2.0 SP3 : firefox (EulerOS-SA-2018-1384)	Nessus	Huawei Local Security Checks	high
119553	SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:3749-2)	Nessus	SuSE Local Security Checks	high
119146	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : firefox regressions (USN-3801-2)	Nessus	Ubuntu Local Security Checks	high
118953	SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2018:3749-1)	Nessus	SuSE Local Security Checks	high
118848	GLSA-201811-04 : Mozilla Firefox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
118808	Debian DLA-1571-1 : firefox-esr security update	Nessus	Debian Local Security Checks	high
118709	Oracle Linux 6 : firefox (ELSA-2018-3006)	Nessus	Oracle Linux Local Security Checks	high
118444	openSUSE Security Update : Mozilla Firefox (openSUSE-2018-1268)	Nessus	SuSE Local Security Checks	high
118443	Scientific Linux Security Update : firefox on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
118442	Scientific Linux Security Update : firefox on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
118406	CentOS 6 : firefox (CESA-2018:3006)	Nessus	CentOS Local Security Checks	high
118405	CentOS 7 : firefox (CESA-2018:3005)	Nessus	CentOS Local Security Checks	high
118397	Mozilla Firefox < 63 Multiple Vulnerabilities	Nessus	Windows	high
118396	Mozilla Firefox < 63 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
118395	Mozilla Firefox ESR < 60.3 Multiple Vulnerabilities	Nessus	Windows	high
118394	Mozilla Firefox ESR < 60.3 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
118393	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : firefox vulnerabilities (USN-3801-1)	Nessus	Ubuntu Local Security Checks	high
118375	RHEL 6 : firefox (RHSA-2018:3006)	Nessus	Red Hat Local Security Checks	high
118374	RHEL 7 : firefox (RHSA-2018:3005)	Nessus	Red Hat Local Security Checks	high
118368	Oracle Linux 7 : firefox (ELSA-2018-3005)	Nessus	Oracle Linux Local Security Checks	high
118365	Debian DSA-4324-1 : firefox-esr - security update	Nessus	Debian Local Security Checks	high
118336	FreeBSD : mozilla -- multiple vulnerabilities (7c3a02b9-3273-4426-a0ba-f90fad2ff72e)	Nessus	FreeBSD Local Security Checks	high